Rethink Request is how community partners and individuals tell us where a meal needs to go. To do that, we collect a small set of details — a name, a contact method, an address, what was requested. We don’t sell any of it. We don’t share it for advertising. Below is the plain-English breakdown of what we keep, why we keep it, and how long. Questions go to request@rethinkfood.org.
Rethink Food operates only in the United States, and Rethink Request is intended for users physically located in the New York City service area. We don’t knowingly offer the service to users in the European Union or United Kingdom, so the EU GDPR and UK GDPR don’t apply. California residents’ rights under the CCPA/CPRA are addressed in Your choices.
Who we are
- Legal name: Rethink Food NYC
- Status: 501(c)(3) nonprofit organization
- Main website: rethinkfood.org
- App: em.rethinkfood.org (“Rethink Request”)
- Email: request@rethinkfood.org
- Mail: 116 W Houston St, Floor 2, New York, NY 10012
Rethink Food coordinates emergency meal deliveries with restaurant and food-service partners, recipient organizations, and individuals across New York City.
What we collect
From the intake form
When you submit a meal request at /intake, we collect:
- Your name and email address
- Your phone number (optional, required only if you opt in to SMS)
- The delivery address (street, city, state, ZIP)
- The recipient organization and on-site contact
- Number of meals requested
- Requested delivery date and time window
- Urgency level
- Dietary notes
- Any internal notes you provide
- Your SMS consent choice (yes/no)
Audit and abuse-defense data
When you submit the form, we automatically log:
- Your IP address
- Your browser’s user agent string
- The timestamp of your submission
If you opt in to SMS, we additionally store these data points in a dedicated sms_consents audit table as legal proof of opt-in, as required by the federal Telephone Consumer Protection Act (TCPA) and CTIA messaging guidelines.
SMS messages and replies
If you opt in to SMS, we store every outbound message we send and every inbound reply you send back. Detailed message bodies are kept for 90 days; metadata (timestamp, direction, opt-in/opt-out status) is kept longer for compliance.
Admin login
Rethink Food staff who manage requests sign in through Auth.js v5. We set a session cookie strictly to keep them signed in. End users (people submitting meal requests) don’t create accounts and aren’t assigned cookies for tracking.
What we don’t collect
- No marketing, advertising, or analytics trackers
- No precise device location
- No payment information
- No information from children under 13 (knowingly)
Why we collect it
| Data | Purpose |
|---|---|
| Intake form data | Coordinating, approving, assigning, delivering, and confirming your request |
| Email address | Transactional emails about your request |
| Phone + SMS consent record | Operational two-way SMS about your request, plus TCPA proof of opt-in |
| IP and user agent | Spam and abuse defense; SMS-consent audit trail |
| Admin auth cookie | Keeping authorized Rethink Food staff signed in |
| Recipient org details | HubSpot CRM sync for grant reporting and ongoing coordination |
We don’t use your information for advertising, profiling, or behavioral targeting.
SMS program
If you opt in, we may text you about your meal request — confirmations, delivery updates, and the occasional follow-up question from our team. You can reply with questions and a real person will respond. Standard message and data rates apply. You can reply STOP at any time to opt out, or HELP for support. The full disclosure is below.
Two-way communication
This is a two-way conversation. We send operational status updates from our toll-free number +1-877-366-1764 (operated through Telnyx), and you can reply with questions or scheduling changes about your meal request. A member of Rethink Food staff reads replies and responds from our admin tool. Inbound and outbound messages are both stored in our secure database for operational record-keeping. There is no marketing, promotional, or third-party content of any kind.
How you opt in
Opt-in is by affirmative checkbox at Step 4 of the intake form. The checkbox is unchecked by default. The disclosure shown next to the checkbox reads:
“I agree to receive SMS updates about this meal request from Rethink Food at the phone number above. Message and data rates may apply. Reply STOP to opt out.”
We log the date, time, IP address, and user agent at the moment you check the box and submit the form.
Message frequency
Transactional, per-request only. Outbound messages are limited to up to three per request (approval, provider assigned, delivery arrived). Inbound replies and staff responses depend on the conversation. Total program volume is approximately 1,000 to 3,000 messages per month across all recipients.
Outbound message templates (verbatim)
Rethink Food: Your meal request was approved. {N} meals confirmed for {date} {window} at {site}. Reply STOP to opt out.Rethink Food: {provider} is delivering your meals to {site} on {date} {window}. Reply STOP to opt out.Rethink Food: Your meal delivery just arrived at {site}. Thank you! Reply STOP to opt out.
Staff replies vary based on the question asked but always include a STOP reminder when appropriate.
Opt-out (STOP)
Reply STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT to any message to opt out. We honor opt-outs immediately and add your number to a permanent suppression list.
Help (HELP)
Reply HELP to receive an auto-reply directing you to request@rethinkfood.org.
Cost
Message and data rates may apply.Rethink Food doesn’t charge you to receive these messages, but your wireless carrier may.
No sharing of phone numbers or consent for marketing
Rethink Food will not share, sell, rent, lease, or transfer phone numbers or SMS consent to any third party for marketing purposes, including affiliates. Phone numbers and consent records are used only to operate the SMS program described in this section, and are disclosed only to the service providers strictly required to deliver the messages (currently Telnyx) and as otherwise described in Who sees it.
Who sees it
We share information only with the service providers required to operate the app, and only as much as needed.
| Provider | Role | Privacy policy |
|---|---|---|
| Vercel | Hosting and edge network | Link |
| Neon / Vercel Postgres | Database (US-hosted) | Link |
| Telnyx | SMS delivery | Link |
| Resend | Transactional email | Link |
| SendGrid | Transactional email (fallback) | Link |
| HubSpot | CRM sync for partner organizations | Link |
| US Census Geocoding | Server-proxied address lookup (no PII forwarded beyond the typed address) | Link |
We may also disclose information when required by law, valid legal process, or to protect the rights, safety, or property of Rethink Food, our partners, or the public. We don’t sell personal information, and we don’t share personal information for cross-context behavioral advertising.
How long we keep it
- Detailed SMS logs (message body, recipient phone in
sms_events): 90 days, then deleted by a daily cron. - SMS consent and opt-out records: indefinitely as a TCPA compliance audit trail.
- Meal request records: indefinitely for nonprofit audit, grant reporting, and impact-measurement obligations. Older records may be aggregated or de-identified.
- Admin session cookies: expire on logout or after the session inactivity timeout.
- Abuse-defense IP/UA logs: up to 12 months and then purged unless tied to an active investigation.
You can request earlier deletion of your meal-request record by emailing request@rethinkfood.org. We’ll honor the request unless we’re legally required to retain the information.
How we protect it
- All traffic is encrypted in transit using TLS.
- Admin passwords are hashed at rest.
- Database credentials, API keys, and other secrets live in environment variables and aren’t exposed to client-side code.
- Access to production data is limited to authorized Rethink Food staff.
No system is perfectly secure. If we discover a breach affecting your information, we’ll notify you and any required regulators in accordance with applicable law.
Your choices
Everyone
Email request@rethinkfood.org to:
- Ask what information we hold about you
- Ask us to correct inaccurate information
- Ask us to delete your meal-request record (subject to retention requirements above)
- Opt out of email by replying or clicking unsubscribe
- Opt out of SMS by replying STOP
California residents (CCPA / CPRA)
If you’re a California resident, you have the following rights:
- Right to know what personal information we collect, use, and disclose
- Right to delete personal information we’ve collected
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing — we don’t sell personal information and don’t share it for cross-context behavioral advertising, so there’s nothing to opt out of
- Right to limit use of sensitive personal information — we don’t use sensitive personal information for purposes that trigger this right
- Right to non-discrimination for exercising any of these rights
To exercise these rights, email request@rethinkfood.orgwith the subject line “California Privacy Request.” We’ll verify by matching the information you provide against what we hold. You may use an authorized agent.
EU/UK residents
The app isn’t directed to or intended for users in the European Union or United Kingdom, and we don’t knowingly process EU/UK personal data. If you believe you’ve submitted information to us from the EU or UK, email request@rethinkfood.organd we’ll delete it.
Cookies and analytics
The app uses only one cookie: an authentication session cookie set by Auth.js v5 for Rethink Food staff who sign in. It’s strictly necessary, first-party, and not shared with any third party.
We don’t use:
- Marketing cookies
- Advertising cookies
- Analytics cookies (Google Analytics, etc.)
- Cross-site trackers, pixels, or fingerprinting
Because we use no non-essential cookies, no cookie-consent banner is required for U.S. users.
Children’s privacy
The app isn’t directed to children under 13, and we don’t knowingly collect personal information from children under 13. If you believe a child under 13 has submitted information through the intake form, email request@rethinkfood.organd we’ll delete it. This complies with the federal Children’s Online Privacy Protection Act (COPPA).
Changes to this policy
We may update this Privacy Policy from time to time. When we do, we’ll update the effective date at the top. If the change is material — for example, a change to how SMS data is used — we’ll provide additional notice (an in-app notice or a direct email) before it takes effect.
How to reach us
Rethink Food NYC
Email: request@rethinkfood.org
Mail: 116 W Houston St, Floor 2, New York, NY 10012
See also the Terms of Service.